Posts tagged: Sefnit Worm

In August 2013, 4 million infected computers woke up and waited instructions from their master.

The pathogen was Sefnit, a nasty bit of malware that makes infected computers mine bitcoins. Once the computers woke up, they worked under the command of Ukranian and Israeli hackers named Scorpion and Dekadent. The malware communicated with the two by downloading Tor, the powerful anonymizing software, and talking over encrypted channels. It was the first time a botnet, as a collection of slave computers is called, used Tor in such a potentially powerful way.

By using an unconventional method to exploit Windows, the hackers unwittingly forced Microsoft to show a hand few knew it had: The ability to remotely remove progams en masse from people’s computers, without them even knowing it.

All of a sudden, the anonymous network grew from about 1 million users to 5.5 million, a jump that frightened even Tor’s developers.

“If this had been a real attacker, if the botnet had been turned against the Tor network, it probably would have been fatal, I think,” developer Jacob Appelbaum said in a speech at the Chaos Communication Congress in December.

On one level, Sefnit’s use of Tor was a mistake. That surge in users brought unwanted attention to the botnet at a time of heightened interested in the Tor network. And the malware, which has existed in various versions of Tor since 2009, specifically targeted Windows users, a fact that got Microsoft’s attention quickly.

To fight back, Microsoft remotely removed the program from as many computers as it could, along with the Tor clients it used.

“That’s a lot of power that Microsoft has there,” Applebaum continued, raising his voice and laughing at the implications. “If you’re using Windows trying to be anonymous, word to the wise: Bad idea.”

It’s no small thing that Microsoft has the ability to reach into certain Windows installations and tear out the parts they deem dangerous, but Andrew Lewman, Tor’s executive director, says there’s little to worry about in this case.

“It sounds scary,” Lewman concluded, “until you realize users opt-in for the most part and agree to have their OS kept ‘secure’ by Microsoft.”

So, yes, Microsoft has the ability to reach into certain computers and delete programs. But, Lewman says, this is the way it’s always been—as long as the user agrees to it first.